In an interim final rule issued October 21, 2021, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) announced new Export Administration Regulations (EAR) controls on “cybersecurity items,” including “intrusion software” products and technology. The interim final rule is effective January 19, 2022, and BIS is accepting comments on it until December 6, 2021. Those potentially impacted by the new controls include developers of cybersecurity software (e.g., penetration testing tools, antivirus and threat-detection software), cybersecurity service providers, cybersecurity research organizations, cybersecurity-related law enforcement agencies, IT system administrators, and cyber forensics professionals.
BIS is amending the EAR to control items used in malicious cyber activities, defined to include surveillance, espionage, or other actions that disrupt, deny or degrade networks or network devices. The rule attempts to balance these new controls against legitimate uses of such items by the cybersecurity community, which balked at the terms of a similar rule proposed in 2015. The move comes amid BIS’s increased focus on malicious cyber activities, and was soon followed by the addition of four cybersecurity firms based in Israel, Russia, and Singapore to the BIS Entity List for allegedly selling cyber intrusion software for use by bad actors, barring those entities’ access to U.S.-origin products, software, and technology absent BIS authorization.
The Covered “Cybersecurity Items”
The rule imposes National Security (NS) and Anti-terrorism (AT) controls on systems, equipment, components, and software specially designed or modified for the command and control, delivery, or generation of “intrusion software,” and on IP network communications surveillance systems or equipment. The newly proposed ECCNs are 4A005, 4D004, 4E001.c, and 5A001.j.
The new term “intrusion software” encompasses software specially designed or modified to avoid detection by “monitoring tools” (e.g., antivirus software and firewalls) or to defeat “protective countermeasures” (i.e., techniques designed to ensure the safe execution of code, such as sandboxing) of a computer or network-capable device, where the intrusion software could extract data or information from a computer or network-capable device, modify system or user data, or change the standard execution path of a program or process in order to inject unauthorized code.
Because of exclusions from the definition of “intrusion software,” we expect no impact on the export of (1) hypervisors (also known as “virtual machine monitor” or VMM), debuggers, or Software Reverse Engineering (SRE) tools; (2) Digital Rights Management (DRM) software; or (3) software designed to be installed by manufacturers, administrators or users, for the purposes of asset tracking or recovery. Also excluded are software items providing basic updates and upgrades, as well as items for “vulnerability disclosure” or “cyber incident response.”
The rule would also not impact (1) certain information security items subject to NS and AT controls due to incorporation of encryption functionalities (a broad category of items that will substantially narrow the rule’s impact), (2) items controlled for Surreptitious Listening (SL) reasons, or (3) items subject to the International Traffic in Arms Regulations (ITAR).
New License Exception “ACE”
A new License Exception called Authorized Cybersecurity Exports (ACE) would authorize exports of otherwise covered items for legitimate cybersecurity research and incident response activities to all destinations except Cuba, Iran, North Korea, and Syria, if the items are not also subject to more stringent controls (e.g., as information security items or surreptitious listening items).
License Exception ACE is unavailable:
- For export to black-hat hackers, i.e., where the exporter knows or has reason to know that the item will be used without authorization to affect the confidentiality, integrity, or availability of information or information systems;
- For export to “government end users” in Group D countries, i.e., the group of 48 countries listed in Country Groups D:1 through D:5 of the EAR, such as Belarus, Cambodia, China, Egypt, Georgia, Libya, Pakistan, Russia, Saudi Arabia, Venezuela, Vietnam, and Zimbabwe, except that ACE is available for exports to “government end users” in Taiwan, Cyprus, and Israel for certain benign, identified purposes;
- For export to non-“government end users” in Group D countries, except that ACE is available for exports to foreign subsidiaries of U.S. companies and to non-U.S. banks, financial service providers, insurance companies, and civil health and medical institutions; and to persons responding to cybersecurity incidents and identifying, reporting and communicating vulnerabilities; and
- For deemed export to “government end users” in Group D countries or to nationals of Cuba, Iran, North Korea, and Syria, although ACE is available for deemed export to non-“government end users” in Group D countries.
The new rule is narrowly focused but will impact some who are directly involved in the cybersecurity industry. If a company determines that an item is not subject to the new cybersecurity controls or is eligible for License Exception ACE, it should maintain records on how and when such determination was made.